Kimsuky group carries out APT attack impersonating a South Korean cryptocurrency exchange event
2019-05-28 • ESTsecurity (ESRC)
ESRC attributes a May 2019 spear-phishing attack against users of a major South Korean cryptocurrency exchange to Kimsuky. The lure impersonated an exchange event prize notice and delivered a password-protected malicious HWP file named as a personal-information consent form. Inside the document, a BIN0001.eps PostScript component contained shellcode and an encoded EXE that contacted hellojames.sportsontheweb.net for additional payloads. ESRC linked the operation to prior Kimsuky tradecraft through matching form-data strings, XOR 0xFF-encrypted follow-on files, VMProtect packing, and exfiltration of victim information to a South Korean Hanmail account.
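Two of the indicators ESRC lists are mechanically checkable: the follow-on files are encoded with a single-byte XOR 0xFF, and the dropper reaches out to hellojames.sportsontheweb.net. The triage helper below is an added example, not ESRC's or the campaign's code. It assumes that a decoded follow-on file is a Windows PE (the report says the EPS carried an encoded EXE), and the sample blob and proxy log lines are constructed for the demonstration; only the hostname and the XOR key come from the report.

```python
"""Triage helpers for XOR-0xFF-encoded payloads and C2 contact in logs.

Added example based on the ESRC write-up above, not the report's own code.
Assumptions: follow-on files are XOR-0xFF encoded (as stated) and decode to
a Windows PE; the sample data below is constructed, not captured.
"""
import struct

XOR_KEY = 0xFF
C2_HOSTS = {"hellojames.sportsontheweb.net"}  # hostname taken from the ESRC report


def xor_ff_decode(data: bytes) -> bytes:
    """Undo a single-byte XOR 0xFF encoding (equivalent to a bitwise NOT)."""
    return bytes(b ^ XOR_KEY for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Check the DOS 'MZ' stub and the 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def detect_xor_ff_pe(blob: bytes) -> bool:
    """True if blob is not a PE as stored but becomes one after XOR 0xFF."""
    return not looks_like_pe(blob) and looks_like_pe(xor_ff_decode(blob))


def build_minimal_pe_stub() -> bytes:
    """Constructed fixture: MZ stub + e_lfanew + 'PE\\0\\0' signature only (not runnable)."""
    buf = bytearray(0x48)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)  # e_lfanew -> PE signature at 0x40
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


def flag_c2_in_logs(lines):
    """Return the log lines that reference a known C2 host (case-insensitive)."""
    hits = []
    for line in lines:
        lower = line.lower()
        if any(host in lower for host in C2_HOSTS):
            hits.append(line)
    return hits


# Constructed sample input: an encoded PE-header stub and two proxy log lines.
SAMPLE_ENCODED = xor_ff_decode(build_minimal_pe_stub())
SAMPLE_LOGS = [
    "2019-05-27T10:02:11Z PROXY host=hellojames.sportsontheweb.net uri=/ src=10.0.0.21",
    "2019-05-27T10:02:12Z PROXY host=update.example.invalid uri=/ok src=10.0.0.21",
]

if __name__ == "__main__":
    print("encoded blob is a XOR-0xFF PE:", detect_xor_ff_pe(SAMPLE_ENCODED))
    for hit in flag_c2_in_logs(SAMPLE_LOGS):
        print("C2 contact:", hit)
```

In practice the `detect_xor_ff_pe` check is run over files dropped alongside the HWP, since a byte-wise NOT hides the `MZ`/`PE` magic from signature-based scanners while remaining trivial to reverse once the key is known.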